ARP Spoofing Malware

While not new news, I had an interest in learning more about malware and MITM attacks.

May 13 said:

In this instance the malware would direct the victim to a page that exploited MS07-017, better known as the Animated Cursor Vulnerability. Now this wasn't the first time ARP Spoofing has been used by malware; for example, W32/Snow.a used it to attempt a denial of service attack during early 2006. More recently, in October 2007 the Chinese Internet Security Response Team (C.I.S.R.T) reported that they suspected that a similar attack had been used to compromise user sessions to their web sites.

The actual method of attack (by W32.Arpiframe) is the same (as above), but what it does in terms of the URLs injected within the IFRAME and the exploits used to compromise user systems is different, which implies that there are different variants floating about that are being updated and maintained to avoid detection by Anti-Virus software.
...
ARP Spoofing is an attack that is often underestimated, yet if successful has far-reaching consequences. ARP Spoofing Malware is a growing problem, and malware authors are beginning to implement this technique to steal information and inject malicious traffic. So don't expect to see the threat go away.

At first, we thought this was being injected by a browser helper object or something similar on the client machine. There was no indication of anything malicious running on the client machine based on the data we looked at. We took a network trace from the client machine and saw that the iframe was being returned across the network. This would indicate that either the attack was originating in an NDIS driver of some sort (*) or that it was originating on his network.
...
(*) My reasoning here is that Netmon plugs into the network stack fairly low. In general terms, it looks like this:

IE --> Winsock --> TDI --> TCPIP.SYS --> NDIS --> Hardware

The Netmon Agent sits between TCPIP.SYS and NDIS on NDIS’s upper edge. For something to show up in a network capture, it would have to originate either in NDIS or on the network.

We are very sorry that sometimes, when visiting some of our pages, malicious code is inserted. We don't think this means that our website has been compromised. It may be due to an ARP attack. We have informed our web server provider to help us check whether it's due to an ARP attack or not.

W32/Snow.a
This is a parasitic virus that searches for and infects Windows Portable Executable (PE) files, which typically have the .EXE file extension.
It appends a new section of viral code to the end of an infected file.

W32.Arpiframe
The worm then gathers the local subnet address, such as 192.168.1.x, and runs an ARP-poisoning attack on the local network to infect other computers. The attack uses the WinPcap libraries to inject the following malicious IFRAME code into the HTTP traffic of the local network:
[hxxp://]1xxx4.8xxx1.cn/woya[REMOVED]
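The poisoning described above works because the victim accepts an ARP reply that rebinds the gateway's IP to the attacker's MAC. The following is an added example, not code from the page or from any of the quoted sources: a small ARP parser plus an arpwatch-style monitor that records the first MAC seen for each IP and flags any later frame that claims the same IP with a different MAC. The MAC and IP values in `run_demo()` are constructed test data, and a real deployment would feed the watcher raw frames from a capture library instead.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806

def parse_arp(frame: bytes):
    """Parse an Ethernet frame carrying an IPv4-over-Ethernet ARP packet.
    Returns (opcode, sender_ip, sender_mac), or None if the frame is not such a packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = str(IPv4Address(frame[28:32]))
    return op, sender_ip, sender_mac

class ArpWatcher:
    """Remember the MAC each IP first claimed; a changed claim is the classic poisoning indicator."""
    def __init__(self):
        self.bindings = {}   # ip -> mac first seen for that ip
        self.alerts = []     # (ip, first_seen_mac, conflicting_mac)

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, ip, mac = parsed          # both requests and replies carry a sender binding
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            self.alerts.append((ip, known, mac))
        self.bindings.setdefault(ip, mac)
        return parsed

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a test frame (Ethernet header + 28-byte ARP body); this is not captured traffic."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += sender_mac + IPv4Address(sender_ip).packed + target_mac + IPv4Address(target_ip).packed
    return eth + body

def run_demo():
    """Replay a constructed sequence: the real gateway replies, then a second host claims its IP."""
    gateway, victim, spoofer = (bytes.fromhex(h) for h in ("001122334455", "aabbccddeeff", "deadbeef0001"))
    watcher = ArpWatcher()
    watcher.observe(build_arp(2, gateway, "192.168.1.1", victim, "192.168.1.10"))  # legitimate reply
    watcher.observe(build_arp(2, spoofer, "192.168.1.1", victim, "192.168.1.10"))  # poisoned reply
    return watcher.alerts

if __name__ == "__main__":
    for ip, old, new in run_demo():
        print(f"ARP binding change for {ip}: {old} -> {new}")
```

On a real segment the same check is what arpwatch and switch-side Dynamic ARP Inspection perform; static ARP entries for the gateway on critical hosts remove the attack surface entirely.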